feat: add GWS_API_BASE_URL for custom/mock endpoint support

When GWS_API_BASE_URL is set (e.g., http://localhost:8099), all API
requests are redirected to the custom endpoint and OAuth authentication
is skipped automatically. The real Discovery Document is still fetched
so the CLI command tree remains fully functional — only root_url and
base_url are rewritten to point at the custom endpoint.

A warning is printed to stderr on first use so the redirect is never
silent, mitigating the risk of malicious .env injection.

Changes:
- discovery.rs: add custom_api_base_url() with LazyLock caching and
  stderr warning; rewrite Discovery Document URLs when env var is set
- executor.rs: add resolve_auth() that skips OAuth for custom endpoints
- main.rs, mcp_server.rs: use resolve_auth() for consistent behavior

Author: xdotli

src/discovery.rs

@@ -183,7 +183,35 @@ pub struct JsonSchemaProperty {
     pub additional_properties: Option<Box<JsonSchemaProperty>>,
 }
 
+/// Cached custom API base URL, read once from the environment.
+/// Prints a warning on first access so the redirect is never silent.
+static CUSTOM_API_BASE_URL: std::sync::LazyLock<Option<String>> =
+    std::sync::LazyLock::new(|| {
+        let url = std::env::var("GWS_API_BASE_URL").ok().filter(|s| !s.is_empty());
+        if let Some(ref u) = url {
+            eprintln!("[gws] Custom API endpoint active: {u}");
+            eprintln!("[gws] Authentication is disabled. Requests will NOT go to Google APIs.");
+        }
+        url
+    });
+
+/// Returns the custom API base URL override, if set.
+///
+/// When `GWS_API_BASE_URL` is set (e.g., `http://localhost:8099`), all API
+/// requests are directed to this endpoint instead of the real Google APIs.
+/// Authentication is skipped automatically. This is useful for testing against
+/// mock API servers.
+pub fn custom_api_base_url() -> Option<&'static str> {
+    CUSTOM_API_BASE_URL.as_deref()
+}
+
 /// Fetches and caches a Google Discovery Document.
+///
+/// The Discovery Document is always fetched from the real Google APIs so that
+/// gws knows the full command structure (resources, methods, parameters). When
+/// `GWS_API_BASE_URL` is set, the document's `root_url` and `base_url` are
+/// rewritten to point at the custom endpoint — actual API requests then go to
+/// the mock server while the CLI command tree remains fully functional.
 pub async fn fetch_discovery_document(
     service: &str,
     version: &str,
@@ -235,7 +263,20 @@ pub async fn fetch_discovery_document(
         let _ = e;
     }
 
-    let doc: RestDescription = serde_json::from_str(&body)?;
+    let mut doc: RestDescription = serde_json::from_str(&body)?;
+
+    // When a custom API base URL is set, rewrite the Discovery Document's
+    // root_url and base_url so that all HTTP requests go to the custom
+    // endpoint (e.g., a mock server) instead of the real Google APIs.
+    if let Some(base) = custom_api_base_url() {
+        let base_trimmed = base.trim_end_matches('/');
+        doc.root_url = format!("{base_trimmed}/");
+        doc.base_url = Some(format!(
+            "{base_trimmed}/{}/{}/",
+            doc.name, doc.version
+        ));
+    }
+
     Ok(doc)
 }
 

src/executor.rs

@@ -38,6 +38,21 @@ pub enum AuthMethod {
     None,
 }
 
+/// Resolve authentication, skipping OAuth when a custom API endpoint is set.
+///
+/// When `GWS_API_BASE_URL` is set, all requests go to a mock server that
+/// doesn't need (or support) Google OAuth. This helper centralises that check
+/// so every call-site doesn't need to know about the env var.
+pub async fn resolve_auth(scopes: &[&str]) -> (Option<String>, AuthMethod) {
+    if crate::discovery::custom_api_base_url().is_some() {
+        return (None, AuthMethod::None);
+    }
+    match crate::auth::get_token(scopes).await {
+        Ok(t) => (Some(t), AuthMethod::OAuth),
+        Err(_) => (None, AuthMethod::None),
+    }
+}
+
 /// Configuration for auto-pagination.
 #[derive(Debug, Clone)]
 pub struct PaginationConfig {

src/main.rs

@@ -203,11 +203,8 @@ async fn run() -> Result<(), GwsError> {
     // Get scopes from the method
     let scopes: Vec<&str> = method.scopes.iter().map(|s| s.as_str()).collect();
 
-    // Authenticate: try OAuth, otherwise proceed unauthenticated
-    let (token, auth_method) = match auth::get_token(&scopes).await {
-        Ok(t) => (Some(t), executor::AuthMethod::OAuth),
-        Err(_) => (None, executor::AuthMethod::None),
-    };
+    // Authenticate: skips OAuth automatically when GWS_API_BASE_URL is set.
+    let (token, auth_method) = executor::resolve_auth(&scopes).await;
 
     // Execute
     executor::execute_method(

src/mcp_server.rs

@@ -407,10 +407,7 @@ async fn handle_tools_call(params: &Value, config: &ServerConfig) -> Result<Valu
     };
 
     let scopes: Vec<&str> = method.scopes.iter().map(|s| s.as_str()).collect();
-    let (token, auth_method) = match crate::auth::get_token(&scopes).await {
-        Ok(t) => (Some(t), crate::executor::AuthMethod::OAuth),
-        Err(_) => (None, crate::executor::AuthMethod::None),
-    };
+    let (token, auth_method) = crate::executor::resolve_auth(&scopes).await;
 
     let result = crate::executor::execute_method(
         &doc,